BIN Attack Fraud

When you become a victim of e-commerce fraud, it can feel personal—but to the average fraudster, pulling off a successful attack is just a numbers game. While fraud comes in many forms, attacks that target specific individuals are less prevalent than large-scale, bot-assisted attacks that try to sift a few vulnerable, usable accounts out of vast reams of compromised data.

One decidedly impersonal but dangerous form of fraud is the BIN attack, which exploits the bank identification number used by credit card issuing banks. What is BIN attack fraud, and how can merchants protect themselves from it?

Once upon a time, an online fraudster might have needed elite hacking and programming skills to pull off a major attack, but those days have gone the way of the dial-up modem.

Today, all of the tools and resources a fraudster needs to steal other people’s money can be found on the dark web and other illicit corners of the internet.

For a price, fraudsters can help themselves to thousands of stolen card numbers and user accounts, along with the scripts and bots that automate the attack for them. The vast majority of the credentials the fraudster purchased may already be reported and shut down, but they only need one vulnerable account out of thousands to get a positive return on their investment.

Eventually, some fraudsters figured out that with sufficient time and computing power, they wouldn’t even need the stolen account numbers. BIN attack fraud is a method of generating sequences of possibly-valid credit card numbers that the fraudster can try to make purchases with. When they find a number that works, they can start using it to make big-ticket purchases for valuables they can resell for cash.

By learning how to recognize BIN attacks, merchants can have an easier time recognizing and putting a stop to them, thereby avoiding costly fees and chargebacks.

What Is BIN Attack Fraud?

BIN stands for bank identification number, which is the first four to six digits of a payment card account number. The BIN identifies the card network and the bank that issued the card. The rest of the card number is unique to the user account and includes an algorithmically-generated check digit.

In a BIN attack, the fraudster takes a BIN and uses software tools to generate a huge list of derivative account numbers.

They then employ another frequently-encountered type of e-commerce fraud, known as card testing, to try these numbers out. This involves making hundreds of quick e-commerce transactions for insignificant dollar amounts.

Most of the generated card numbers will be invalid or expired, and the transactions won’t go through. But when they do place a successful transaction, the fraudster knows that they lucked upon a working account number, which they will then quickly use to make more lucrative purchases until the fraudulent activity is noticed by the cardholder and reported.

BIN attack fraud is especially pernicious because it doesn’t involve any theft or data breaches—the victim’s card number is literally chosen by random coincidence. 

How Can Merchants Detect BIN Attack Fraud?

BIN attacks will present as card testing fraud—there’s really no way for merchants to know whether the card numbers being used in the attack are real, compromised numbers or artificially generated ones.

Card testing fraud usually looks like lots of similar transactions taking place within a short time frame, usually for very small dollar amounts. The transactions may all come from the same IP address—which is a dead giveaway—but some fraudsters will use proxies and spoofing tools to make it appear as though the transactions are coming from different sources. Most of these transactions will get declined because the account numbers aren’t valid or active.

Many anti-fraud solutions include velocity checking tools, which alert merchants when card testing appears to be taking place. If you find yourself in the middle of a card testing attack, find a way to block the suspicious transactions that are coming through.

Every fraudulent transaction that succeeds will eventually be discovered by a cardholder and disputed, resulting in a chargeback, which will carry expensive fees and a hit to your chargeback ratio even if the transaction amount is very small.

Smaller, newer merchants are often at greater risk for card testing attacks because they aren’t as well-established as larger merchants and are less likely to have robust fraud detection systems in place. If you don’t have velocity checking tools, you can review your transaction data and look for signs such as unusual timing or geolocation, cards with similar or sequential numbers, or the same card number being attempted with different expiration dates.
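The manual review described above can be scripted. The following is an added example, not code from the original article or from any anti-fraud product: it scans a transaction export for bursts of small, mostly declined attempts on many cards under one BIN, and for one card tried with several expiration dates. The field names, the thresholds and the `card_token` field (a processor-issued token standing in for the card number) are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=10)
MIN_CARDS, MIN_DECLINE_RATIO, MAX_AMOUNT = 5, 0.8, 5.00

def find_bin_velocity_alerts(txns):
    """BINs with a burst of small, mostly declined attempts across many cards."""
    by_bin, alerts = defaultdict(list), {}
    for t in txns:
        if t["amount"] <= MAX_AMOUNT:  # card testing uses very small amounts
            by_bin[t["bin"]].append(t)
    for bin_, rows in by_bin.items():
        rows.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(rows)):
            while rows[end]["ts"] - rows[start]["ts"] > WINDOW:
                start += 1  # slide the window forward
            win = rows[start:end + 1]
            approved = sorted(t["card_token"] for t in win if t["approved"])
            cards = {t["card_token"] for t in win}
            declined = len(win) - len(approved)
            if len(cards) >= MIN_CARDS and declined >= MIN_DECLINE_RATIO * len(win):
                # "approved" lists the tokens to void or refund first.
                alerts[bin_] = {"attempts": len(win), "cards": len(cards),
                                "ips": len({t["ip"] for t in win}), "approved": approved}
    return alerts

def find_expiry_guessing(txns, min_expiries=3):
    """Card tokens attempted with several different expiration dates."""
    seen = defaultdict(set)
    for t in txns:
        seen[t["card_token"]].add(t["expiry"])
    return {tok: sorted(exp) for tok, exp in seen.items() if len(exp) >= min_expiries}

def sample_transactions():
    """Constructed data: BINs, tokens and IPs are made up for this example."""
    t0 = datetime(2024, 1, 1, 12, 0)
    rows = [dict(ts=t0 + timedelta(seconds=30 * i), bin="400000", card_token=f"tok_a{i}",
                 expiry="12/26", amount=1.00, approved=(i == 6), ip=f"203.0.113.{i % 3}")
            for i in range(8)]
    rows += [dict(ts=t0 + timedelta(minutes=i), bin="520000", card_token="tok_b",
                  expiry=e, amount=1.00, approved=False, ip="198.51.100.7")
             for i, e in enumerate(["01/25", "02/25", "03/25"])]
    rows.append(dict(ts=t0, bin="510000", card_token="tok_c", expiry="09/27",
                     amount=49.99, approved=True, ip="192.0.2.10"))
    return rows

if __name__ == "__main__":
    print(find_bin_velocity_alerts(sample_transactions()))
```

Grouping by BIN rather than by IP address keeps the check useful when the attempts are spread across proxies, which is why the alert reports the IP count separately.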

How Can Merchants Prevent BIN Attack Fraud?

One thing that differentiates BIN attacks from card testing with stolen numbers is that stolen data may include the card’s security code, whereas the numbers generated for BIN attacks never do. Requiring a security code and billing address match will significantly reduce your vulnerability to low-effort fraud attacks.

If you’re using an anti-fraud software solution, features like velocity checking and device fingerprinting can help you catch these attacks early on.

Even simple fraud prevention tools can be an insurmountable roadblock for BIN attacks and other forms of fraud that rely on card testing. In order to place hundreds of transactions within a short span of time, fraudsters need to automate the process by using bots. Any form of strong customer authentication, such as 3-D Secure, will grind these bot operations to a halt, forcing the fraudster to move on to a softer target.

Conclusion

Say what you will about online fraudsters, but to counter them effectively you have to account for the fact that they can be very inventive and persistent. Just as synthetic identity theft has started to supplant the old practice of copying real people’s identities, many fraudsters are finding that making up account numbers can work just as well as stealing them.

The good news is that BIN attack fraud is still fairly crude and detectable at the point of purchase. Merchants who have educated themselves about fraud prevention and implemented a workable defensive strategy are in a good position to ward off these attacks.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com.
